Multiple fiber routers are being compromised by botnets using 0-day

This is our 3rd IoT 0-day series article, in the past 30 days, we have already blogged about 2 groups targeting DrayTek CPE 0-day here [1], and Fbot botnet targeting Lilin DVR 0-day here [2]. Apparently while most botnets play catchup games, some have deep resources and probably deep pocket to get hold of the public unknown exploits. Our botnet researchers are fascinated by this and will see if this is a new trend.

On February 28, 2020, we noticed the Moobot botnet [3] successfully used a new exploit (two steps) to spread.

On March 17, we confirmed the exploit was a 0-day and reported the result to CNCERT. We also contacted the vendor but was told this problem should not be happening because the default config of the device should not have this issue (the reality is different) so they won’t take this case from us.

On March 18, the Exploit Database [4] website released a Netlink GPON router remote command execution vulnerability PoC, which matches the 0-day vulnerability we observed. However, the PoC lefts out a crucial prerequisite – another vulnerability needs to be used together with this PoC for it to work. So, a successful execution of the injected commands will not have the target device compromised.

On March 19th, we observed ongoing exploit attempts to propagate Gafgyt botnet samples using the above PoC, and few days later, on March 26, we saw the exploit attempt adopted into Gafgyt bots and bots carried out internet wide scan (worm behavior).

Luckily, unlike Moobot, this botnet author was not aware of the aforementioned precondition, so it did not work out as expected and the scans would mostly fail.

On March 24th, we noticed another wave of exploit attempts to spread the Fbot botnet just like Gafgyt, with same failed outcome(not working).

Till this day, we have discovered that a total of 9 vendors are affected, it is likely most of the vendors are OEM products of the same original vendor.

The PoC has been published publicly and various botnets are taking advantage of it already, we informed CNCERT all the details, and we think it is necessary to inform the public this ongoing threat. We are not going to share the vendor name though, as we have no idea if there is going to be any action taken by them.

Vulnerability analysis

Prerequisite

As we mentioned above, just utilizing the PoC will not have the desired result, a successful execution needs 2 steps, the first step involves another vulnerability. We are not going to share this part publicly.

The Exploitdb PoC

Vulnerability Type: remote command execution Details: The function formPing() in the Web server program /bin/boa, When it processes the post request from /boaform/admin/forming, it did not check the target_addr parameters before calling the system ping commands, thereby a command injection becomes possible.

Suggestions

We recommend that users check and update their device firmwares in a timely manner, and check whether there are default accounts that should be disabled.

We recommend the following IoCs to be monitored and blocked on the networks where it is applicable.

For users using our DNSmon system, all the Domains have been automatically blocked.

Contact us

Readers are always welcomed to reach us on twitter, or email to netlab at 360 dot cn.